Introduction


Chairman Ratcliffe, Chairman Perry, Ranking Member Richmond, Ranking Member Correa, 
and distinguished Members of the Subcommittees, thank you for the opportunity to appear 
before you today to address cybersecurity workforce issues at the Department of Homeland 
Security (DHS). 

We are the Department’s Chief Human Capital Officer and Director of Human Resources for the 
National Protection and Programs Directorate (NPPD). Together, we have over 50 years of 
experience in federal human resources. 

We both support the Department’s human capital program, which includes human resources 
policies and programs; strategic workforce planning and analysis; recruitment and hiring; pay 
and leave; performance management; employee development; executive resources; employee 
and labor relations; workforce health and safety; diversity and inclusion; and human resources 
information technology. We also oversee the human resources operational offices delivering all 
of the aforementioned services to Headquarters and NPPD employees. 

As Secretary Nielsen stated during her November 2017 confirmation hearing, “...one of the
most significant [aspects of the Department’s mission] for our Nation’s future is 
cybersecurity... The scope and pace of cyberattacks against our federal networks and the control 
systems that run our critical infrastructure are continually increasing, with attacks growing 
evermore complex and each more sophisticated than the last. Cyber criminals and nation states 
are continually looking for ways to exploit our hyper connectivity and reliance on IT systems.” 

The Department cannot strengthen the Nation’s cybersecurity and successfully confront the 
threats Secretary Nielsen described without the creativity, intellect, and dedication of world-class 
cybersecurity experts. For that reason, supporting the human capital needs of the Department’s 
cybersecurity workforce is a top priority for senior leadership, including the Secretary. 

The Department faces intense competition for cybersecurity talent, and studies continue to make 
headlines by quantifying current shortages of specific cybersecurity skills and projecting future 
talent gaps. We recognize the difficulty of securing the right cybersecurity talent today and 
tomorrow, but we must proceed with urgency and ingenuity. We are committed to thoroughly 
understanding our workforce requirements and implementing the best possible human capital 
solutions to recruit, retain, and manage the cybersecurity talent our mission demands. Our teams 
work closely with human capital and cybersecurity technical leadership across the Department, 
including within NPPD, and with the Chief Information Officer (CIO), and our Component CIOs 
on three priorities: 

1. Analyze and Plan for our complex set of cybersecurity talent needs; 

2. Recruit and Retain highly qualified employees with capabilities vital to mission success; 
and 

3. Innovate by implementing a new 21st century personnel system to revolutionize
cybersecurity talent management. 
Analyze and Plan


To effectively manage a workforce, one must begin with a comprehensive analysis of mission 
and talent requirements. We would like to thank Congress for your attention to cybersecurity 
workforce planning through the passage of several laws since 2014, and we would like to thank 
the Government Accountability Office (GAO) for their recent review of the Department’s 
implementation of one of those laws, the Homeland Security Cybersecurity Workforce 
Assessment Act of 2014. Emphasizing the importance of these issues helps us focus all of DHS 
on a path forward. 

Over the last decade, DHS has taken a variety of steps to better understand and document our 
cybersecurity workforce, but as GAO outlined in their February 6, 2018 report (Cybersecurity
Workforce: Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill
Requirements), there is more work to be done—and done quickly.

As described in the Department’s response letter, we concur with GAO’s six recommendations, 
and we have taken a series of actions to address each of them. Each Component designated a 
lead cybersecurity workforce official, developed updated position coding guidance, and stepped 
up communications with Component stakeholders critical to ensuring positions are accurately 
identified, coded, and tracked. Additionally, we continue to engage Component senior leaders 
through the Cyber Workforce Coordinating Council, comprised of senior membership from both 
the Component CIO and human resources communities, and the Cybersecurity Technical 
Review Board, a working-level, cross-Component group to reinforce accountability and 
awareness. We also reach out quarterly to advise Components of their coding progress, validate 
coding data, and address problems in an effort to improve our progress and the accuracy of our 
data in this area. 

Notably, the Department’s cybersecurity workforce planning efforts and GAO’s report focus 
heavily on the National Initiative for Cybersecurity Education (NICE) Workforce Framework 
(NICE Framework). NICE, led by the National Institute of Standards and Technology (NIST) of 
the U.S. Department of Commerce, is a partnership between government, academia, and the 
private sector working to energize and promote cybersecurity education, training, and workforce 
development. The NICE Framework is a reference structure that describes the interdisciplinary 
nature of cybersecurity, and it uses a common, consistent lexicon to categorize and describe 
cybersecurity work, including information on key knowledge, skills, and abilities. In 2013, the
Office of Personnel Management (OPM) and NICE began collaborating to ensure agencies could 
code their federal positions according to the NICE Framework in the human resources 
information technology (HRIT) systems of shared service providers. 

Currently, the Department is focused on transitioning from two-digit position codes based on the 
original version of the Framework to the new three-digit, role-based position codes aligned to the 
latest version of the Framework. In doing so, DHS is revising personnel records with our shared 
service provider (the National Finance Center) that made system updates to accommodate
three-digit codes at the end of 2017.

We acknowledge GAO’s focus on the importance of coding vacant positions associated with 
cybersecurity work, and we have charted a path to do so. Fortunately, the Department has 
broader efforts underway to ensure accurate documentation of all DHS position requirements,
including vacant positions. While DHS does not have an enterprise-wide, automated solution to 
support such work, we continue to set and refine data standards with Components, patch together 
multiple datasets, and lay the groundwork for a future solution as part of our Strategic 
Improvement Opportunities (SIOs) process for the DHS HRIT program. We believe that linking 
cybersecurity position identification, coding, and tracking with our ambitious position 
management project will help to accelerate both initiatives. 

In the coming months, we have a series of actions planned with Components to ensure they 
enter, validate, and then analyze their data to determine critical gaps. Ongoing workforce 
planning efforts have demonstrated that the DHS cybersecurity workforce is complex and varied. 
We have identified a total population of over 7,400 federal civilian positions, as well as over 
2,800 United States Coast Guard military positions and 4,800 contractor positions. The federal 
civilian population includes 18 Components and organizations and covers over 40 federal 
occupational series, and all 33 specialty areas of the NICE Cybersecurity Workforce Framework. 
When we apply the NICE Framework, the most populous category and specialty area codes at 
DHS—each associated with more than 250 positions/employees—are Investigation, Information 
Assurance/Compliance, Digital Forensics, Securely Provision, and Operate and Maintain. 

Past data calls have identified a great deal of information about Component recruitment and 
retention challenges and staffing gaps. For the population of 7,400 civilian positions, we are 
averaging a vacancy rate of 10 percent and an attrition rate of five percent, but in some 
Components, both rates are regularly above 20 percent. In addition, Components have cited all 
portions of the NICE Cybersecurity Workforce Framework to describe their current and 
projected shortages of positions/employees. 

DHS must now dig deeper to isolate and monitor priority skills and mission roles, including 
those where shortages exist or are anticipated. The Framework is a helpful tool for describing 
critical roles and shortages, but we cannot stop there. Some DHS cybersecurity work is highly 
specialized, requiring industry, sector, or mission specific skills and knowledge not captured by 
the Framework’s general structures and definitions. In cases where DHS work is unique or 
specificity is critical to describing the talent needed to meet the Department’s mission objectives, 
DHS will document such detail, and, as appropriate, report it to Congress along with the data 
elements outlined in statute. 

Recruit and Retain 


Our understanding of both our current and future workforce needs informs our recruitment and 
retention strategy. The Department must ensure we are attracting, hiring, and keeping the best 
cybersecurity talent, and given the competitive cybersecurity labor market, DHS must leverage 
all available tools to ensure we keep attrition and vacancy rates at acceptable levels. OCHCO 
has a team dedicated to attracting talent to the Department by improving our employment brand 
and developing and implementing Department-wide recruitment strategies, to include the use of 
available hiring flexibilities such as the DHS Schedule A cybersecurity hiring authority and the 
government-wide IT (information security) direct hire authority. 

OCHCO works closely with recruiters and human capital leadership from across Components, 
and holds regular meetings of our Corporate Recruiting Council. This Council oversees the
creation and monitoring of targeted recruitment plans for specific DHS mission critical 
occupations, including cybersecurity. As part of a long-term effort to improve cybersecurity 
recruiting, our staffs manage cybersecurity pipeline development and outreach activities focused 
on two- and four-year academic institutions, including the National Centers of Academic 
Excellence in Cyber Defense and Cyber Operations, national and local community 
organizations, and professional associations. In fiscal year (FY) 2017 and FY 2018 to date, we 
have engaged with over 1,300 students from 122 academic institutions, including 40 National 
Centers of Academic Excellence. 

In addition, OCHCO operates the Secretary’s Honors Program Cyber Student Volunteer 
Initiative, which offers students temporary assignments in DHS cybersecurity-focused field 
offices. Approximately 6,500 students from over 400 academic institutions have applied to the 
program since its inception in 2013, and 258 have completed assignments alongside our 
cybersecurity professionals. While this is a great starter program, we are enhancing and 
expanding Component-specific and government-wide programs, such as the Intelligence & 
Analysis Internship Program and the CyberCorps®: Scholarship for Service program. Now, 
thanks to Congressional support, all are paid internships that lead to full-time federal/DHS 
cyber-specific jobs. 

Creating interest in DHS cybersecurity work and attracting top applicants is only part of the 
recruitment equation. Reducing the burden and length of the hiring process for candidates is 
equally critical. DHS is focusing on hiring process improvement for all occupations, including 
those related to cybersecurity and information technology. Our teams have worked to gather all 
available hiring process data to assist Components in identifying barriers, reengineering steps, 
setting better operational targets, and identifying opportunities for additional automation. We 
are also focusing on forging smart partnerships across DHS Components, lines of business, and 
federal agencies to ensure that DHS human resources personnel are aware of leading practices 
and can collaborate to achieve economies of scale. 

One of the key hiring improvement strategies we have deployed is joint recruiting and special 
hiring events. The Department has held successful joint cybersecurity, veterans, intern and 
recent graduate events that brought together multiple Components to a single location enabling 
onsite interviews and on-the-spot tentative job offers in the same day. As a direct result of these 
events, the Department was able to hire nearly 700 new employees with a reduced time-to-hire. 
With the cybersecurity event alone, we were able to bring onboard approximately 300 
employees, cutting the time-to-hire by up to six weeks in most cases. The Department has also 
ramped up participation in similar hiring events with federal partners, including the 
CyberCorps®: Scholarship for Service Job Fair and Federal CIO Council’s Federal Tech/Cyber 
Hiring and Recruitment Event. Based on previous success, the Department will hold another 
DHS cybersecurity hiring event later this year in Washington, D.C. 

Innovative interventions to speed hiring and reduce vacancies are just the first part of a larger 
Departmental strategy to do cybersecurity human capital better and smarter. Human capital 
flexibilities are most useful when human resources practitioners understand them and deploy 
them appropriately to target the Department’s most critical job candidates and personnel. We 
remain committed to ensuring that the DHS human resources community receives additional 
cybersecurity-focused training and guidance.

Since 2016, OCHCO has released over 15 simplified guidance documents to help human capital 
and cybersecurity personnel across the Department understand existing human capital tools, such 
as direct hire authority and recruitment incentives; dispel myths; and identify how these human 
capital tools can best support cybersecurity talent. Furthermore, we are working closely with 
OPM and other DHS Component human resources directors to ensure human resources 
specialists across DHS stay on the forefront of any new developments and understand the full set 
of recruitment and retention tools at their disposal. For example, we are building a DHS HR 
Academy with both formal and informal training as well as rotational and internship 
opportunities. The Department rolled out the first Academy course in data analytics in the fall of 
2017, and we anticipate delivering career path guides by the summer of 2018. 

In addition to increased training on all available retention flexibilities, we are working with 
human capital leadership across Components on specific retention interventions. In 2017, 
OCHCO built upon successful NPPD practices and released a Department-wide retention 
incentive plan for cybersecurity employees, which should help Components retain highly skilled 
talent by financially recognizing the significant training and certification accomplishments of 
employees. We are also exploring ways to increase the use of student loan repayment and 
tuition assistance, and with OPM and the rest of the federal human resources community, we are 
considering possible compensation flexibilities. 

Despite current and past efforts, we find that attrition rates for cybersecurity professionals in 
some DHS organizations remain much higher than the rates for other occupations. Our analysis 
indicates that work in the field of cybersecurity is increasingly project-based, and we recognize 
that the prospect of a decades-long federal civil service career may not appeal to cybersecurity 
professionals. We are passionate about continuing to explore these retention challenges with 
experts in both human capital and cybersecurity across Components. 

Innovate 


While we are committed to developing some immediate fixes with DHS human capital and 
cybersecurity leadership, our primary cybersecurity human capital focus is accelerating the 
implementation of a new cybersecurity-focused personnel system, which will change the 
methods, policies and process used to recruit, hire, retain, and develop cybersecurity employees. 
We believe this will revolutionize how DHS hires, manages, and retains our best cybersecurity 
talent. 

The Department appreciates that Congress passed the Border Patrol Agent Pay Reform Act of 
2014. Section 3 amended the Homeland Security Act of 2002 to grant the Secretary the authority
to create a cybersecurity focused personnel system exempt from many of the restrictions 
governing the conventional civil service. This authority allows for a variety of human capital 
management changes, including alternative methods for defining jobs, conducting hiring, and 
compensating employees. 

Department leadership is aware of the time that has elapsed since the law’s passage. We also 
recognize that implementing such an authority represents new territory and is a significant 
personnel transformation for the Department. Successful design, implementation, and
maintenance of a new federal personnel system is extremely complex, and requires highly 
specialized federal human capital expertise. The design and subsequent implementation and 
execution of such a system all present unique challenges that require technical knowledge related 
to pay setting and administration, labor market analysis, psychometric research, regulation 
drafting, change management, etc. Despite these challenges, we are making progress in 
implementing such a system. 

After Congress granted the Secretary this additional authority, the Department began an initial 
research and analysis process that included benchmarking with other federal agencies, fact 
finding with the Department of Defense and OPM, and the development of a slate of possible 
human capital changes. Since both of us arrived at DHS in 2016, we have redoubled the effort to 
source specialized talent for the project, and OCHCO established a dedicated human capital 
policy team, which includes a well experienced, senior advisory cadre. We have strengthened 
the Department’s collaboration with OPM, and established regular working meetings between 
OCHCO, OPM, and the DHS Office of the General Counsel. In addition, the Deputy Under 
Secretary for Management reinitiated the Cyber Workforce Coordinating Council, which as 
previously mentioned, includes membership from both the Component CIO and human resources 
communities. 

Our teams have completed research on all the major alternative personnel systems since the 
1970s, and by combining leading practices and many new ideas, have designed a flexible, 
twenty-first century personnel system tailored to the evolving, project-based field of 
cybersecurity. Our conclusion is that the current civil service system cannot adequately address 
the cybersecurity talent challenges the Department faces, and making simple modifications or 
cosmetic changes to the current Title 5 will not suffice.

The General Schedule (GS) was created by the Classification Act of 1949, during the Truman 
Administration, but in reality, many of its foundational principles date back to the Classification 
Act of 1923. The federal workforce is no longer primarily composed of narrowly defined, 
clerical jobs, and we are not using long tables of clerks or a secretarial pool to combat 
cybersecurity threats. If we are to attract, hire, compensate, and retain top cybersecurity talent, 
we need to recognize a variety of truths, including: 

• Jobs are becoming increasingly non-standard and complex; 

• Employee expectations no longer map to the 30-year federal career; and 

• A highly competitive labor market exists for cybersecurity talent—of which the Federal 
Government is only one employer. 

To modernize the civil service for cybersecurity work, we need to revisit some of the 
foundational theories and structures that underlie how we have managed federal human capital 
for decades, and we need to update them for the 21st century. Some key shifts include:

• Streamlined, Proactive Hiring

  o 20th Century: Recruitment is focused on posting a position-specific
    announcement, praying the right candidates apply, allowing candidates to
    self-rate their skills, and comparing applicants to rigid—often
    outdated—occupation-based standards

  o 21st Century: Strategically recruit from a variety of sources on an ongoing basis,
    and use up-to-date, cybersecurity-focused standards and validated tools to screen,
    assess, and select talent

• Market-Sensitive Pay

  o 20th Century: GS pay rules are based on tenure, and apply regardless of the field
    of work

  o 21st Century: Increase the focus on an individual’s knowledge, skills, and
    capabilities and use a pay structure and compensation procedures that are
    designed with the cybersecurity labor market in mind

• Flexible, Dynamic Career Paths

  o 20th Century: Temporary assignments and details are exceptions to the norm, and
    static career paths limit advancement to a single occupational series or vertical,
    tenure-based career ladder

  o 21st Century: Accommodate dynamic careers with streamlined movement
    between the government and private sector, across Components, and through a
    variety of permanent/non-permanent assignments

• Development-Focused Performance Management

  o 20th Century: The annual performance assessment is the main opportunity for
    award and pay progression, and the process has become complex and burdened
    with paperwork

  o 21st Century: Simplify annual performance ratings, and focus more on
    continuous, development-focused feedback about employee contributions and
    skills increases to inform adjustments to pay, assignments, etc.

We are working with the Deputy Under Secretary for Management, the Assistant Secretary for 
Cybersecurity and Communications, the CIO, and the Cyber Workforce Coordinating Council to 
finalize the personnel system. The new system will ultimately serve front-line cybersecurity 
professionals, so it is critical that all interested parties at the Department provide input and have 
a stake in our shared solution. The Secretary, in coordination with the Acting Director of OPM, 
is also working to prescribe regulations for the administration of the new system. While we 
engage in the regulatory process, we are dedicated to a host of technical human capital analysis, 
policy development, and change management activities to ensure that we launch a system that 
will be legally defensible, better reflect the needs of high-caliber cybersecurity talent, and 
enhance the Department’s ability to execute its mission. 

The implementation effort has momentum, but we are seeking to increase our pace. The 
cybersecurity threats facing our Nation will not pause while we evolve the Department’s 
approach to cybersecurity human capital. We are committed to making our new cybersecurity 
service personnel system operational and we would like to increase our collaboration with 
Congress, including these Subcommittees, to keep you informed of the progress we make and 
the obstacles we encounter. 

Thank you again for your interest in our Nation’s cybersecurity and your continued support of 
the Department’s cybersecurity responsibilities and the employees charged with executing them. 



